authorEvgeny Grin (Karlson2k) <k2k@narod.ru>2022-07-20 17:16:58 +0300
committerEvgeny Grin (Karlson2k) <k2k@narod.ru>2022-07-21 15:07:07 +0300
commit69aec9dc33b71c782075a263f1484945f399078f (patch)
tree029c10a8330435cdd8b891f1960f17830bf370a6
parentb528bec9c1a9332c49813d8e3df7dcc0eb7b63db (diff)
digest_auth_check(): updated the order of parameters check
If more than one parameter is wrong, then the first checked wrong parameter will be reported, so check the most important parameters first.
-rw-r--r--src/microhttpd/digestauth.c82
1 files changed, 43 insertions, 39 deletions
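--- a/src/microhttpd/digestauth.c
+++ b/src/microhttpd/digestauth.c
@@ -1937,6 +1937,7 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
 return MHD_DAUTH_WRONG_HEADER;
 
 /* ** A quick check for presence of all required parameters ** */
+
 if ((NULL == params->username.value.str) &&
 (NULL == params->username_ext.value.str))
 return MHD_DAUTH_WRONG_HEADER;
@@ -1950,13 +1951,6 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
 if (NULL == params->realm.value.str)
 return MHD_DAUTH_WRONG_HEADER;
 
-if (NULL == params->nonce.value.str)
-return MHD_DAUTH_WRONG_HEADER;
-else if (0 == params->nonce.value.len)
-return MHD_DAUTH_NONCE_WRONG;
-else if (NONCE_STD_LEN (digest_size) * 2 < params->nonce.value.len)
-return MHD_DAUTH_NONCE_WRONG;
-
 if (NULL == params->nc.value.str)
 return MHD_DAUTH_WRONG_HEADER;
 else if (0 == params->nc.value.len)
@@ -1978,13 +1972,6 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
 else if (MHD_STATICSTR_LEN_ ("auth-int") * 2 < params->qop.value.len)
 return MHD_DAUTH_WRONG_QOP;
 
-if (NULL == params->response.value.str)
-return MHD_DAUTH_WRONG_HEADER;
-else if (0 == params->response.value.len)
-return MHD_DAUTH_RESPONSE_WRONG;
-else if (digest_size * 4 < params->response.value.len)
-return MHD_DAUTH_RESPONSE_WRONG;
-
 if (NULL == params->uri.value.str)
 return MHD_DAUTH_WRONG_HEADER;
 else if (0 == params->uri.value.len)
@@ -1992,8 +1979,47 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
 else if (_MHD_AUTH_DIGEST_MAX_PARAM_SIZE < params->uri.value.len)
 return MHD_DAUTH_TOO_LARGE;
 
+if (NULL == params->nonce.value.str)
+return MHD_DAUTH_WRONG_HEADER;
+else if (0 == params->nonce.value.len)
+return MHD_DAUTH_NONCE_WRONG;
+else if (NONCE_STD_LEN (digest_size) * 2 < params->nonce.value.len)
+return MHD_DAUTH_NONCE_WRONG;
+
+if (NULL == params->response.value.str)
+return MHD_DAUTH_WRONG_HEADER;
+else if (0 == params->response.value.len)
+return MHD_DAUTH_RESPONSE_WRONG;
+else if (digest_size * 4 < params->response.value.len)
+return MHD_DAUTH_RESPONSE_WRONG;
+
 /* ** Check simple parameters match ** */
 
+/* Check 'algorithm' */
+if (1)
+{
+const enum MHD_DigestAuthAlgo3 r_algo = get_rq_algo (params);
+const enum MHD_DigestBaseAlgo p_algo = da->algo;
+if ( (! ((MHD_DIGEST_AUTH_ALGO3_MD5 == r_algo) &&
+(MHD_DIGEST_BASE_ALGO_MD5 == p_algo))) &&
+(! ((MHD_DIGEST_AUTH_ALGO3_SHA256 == r_algo) &&
+(MHD_DIGEST_BASE_ALGO_SHA256 == p_algo))) )
+return MHD_DAUTH_WRONG_ALGO;
+}
+/* 'algorithm' valid */
+
+/* Check 'qop' */
+/* TODO: support MHD_DIGEST_AUTH_QOP_NONE and MHD_DIGEST_AUTH_QOP_AUTH_INT */
+if (MHD_DIGEST_AUTH_QOP_AUTH != get_rq_qop (params))
+return MHD_DAUTH_WRONG_QOP;
+/* 'qop' valid */
+
+/* Check 'realm' */
+realm_len = strlen (realm);
+if (! is_param_equal (&params->realm, realm, realm_len))
+return MHD_DAUTH_WRONG_REALM;
+/* 'realm' valid */
+
 /* Check 'username' */
 username_len = strlen (username);
 if (NULL != params->username.value.str)
@@ -2026,32 +2052,8 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
 }
 /* 'username' valid */
 
-/* Check 'realm' */
-realm_len = strlen (realm);
-if (! is_param_equal (&params->realm, realm, realm_len))
-return MHD_DAUTH_WRONG_REALM;
-/* 'realm' valid */
-
-/* Check 'qop' */
-/* TODO: support MHD_DIGEST_AUTH_QOP_NONE and MHD_DIGEST_AUTH_QOP_AUTH_INT */
-if (MHD_DIGEST_AUTH_QOP_AUTH != get_rq_qop (params))
-return MHD_DAUTH_WRONG_QOP;
-/* 'qop' valid */
-
-/* Check 'algorithm' */
-if (1)
-{
-const enum MHD_DigestAuthAlgo3 r_algo = get_rq_algo (params);
-const enum MHD_DigestBaseAlgo p_algo = da->algo;
-if ( (! ((MHD_DIGEST_AUTH_ALGO3_MD5 == r_algo) &&
-(MHD_DIGEST_BASE_ALGO_MD5 == p_algo))) &&
-(! ((MHD_DIGEST_AUTH_ALGO3_SHA256 == r_algo) &&
-(MHD_DIGEST_BASE_ALGO_SHA256 == p_algo))) )
-return MHD_DAUTH_WRONG_ALGO;
-}
-/* 'algorithm' valid */
-
 /* ** Do basic nonce and nonce-counter checks (size, timestamp) ** */
+
 /* Get 'nc' digital value */
 unq_res = get_unquoted_param (&params->nc, tmp1, ptmp2, &tmp2_size,
 &unquoted);
@@ -2137,6 +2139,7 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
 not used before */
 
 /* ** Build H(A2) and check URI match in the header and in the request ** */
+
 /* Get 'uri' */
 digest_init (da);
 digest_update_str (da, connection->method);
@@ -2173,6 +2176,7 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
 /* Got H(A1) */
 
 /* ** Check 'response' ** */
+
 digest_init (da);
 /* Update digest with H(A1) */
 mhd_assert (sizeof (tmp1) >= (digest_size * 2 + 1));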
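Review bot: The ordering this commit establishes is documented only in the commit message: nothing at the relocated 'algorithm'/'qop'/'realm' checks (new lines 1998–2022) or at the moved nonce/response presence checks (new lines 1982–1994) says that the first failing check decides the returned code, so a later reshuffle could silently change what callers see. A comment above `/* ** Check simple parameters match ** */` such as `/* Order is significant: the first failed check sets the result, so 'algorithm', 'qop' and 'realm' are tested before 'username' */` would pin that down. The length bounds `NONCE_STD_LEN (digest_size) * 2` and `digest_size * 4` also move without explanation; presumably the multipliers leave room for quoted or escaped values, which is worth stating next to them. Because the result codes distinguish a wrong username from a wrong realm or response, callers should probably keep the client-visible failure uniform so that the check order does not become an account-probing signal. digest_auth_check_all_inner starts and ends outside these hunks, so the later nonce and response verification is not visible here.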